Bug 1372129 (CVE-2016-6348)

Summary: CVE-2016-6348 RESTEasy: Use of JacksonJsonpInterceptor in RESTEasy can lead to Cross Site Script Inclusion attack
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, alazarot, alee, aszczucz, bbaranow, bcourt, bdawidow, bkearney, bmaxwell, bmcclain, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, drieden, eedri, epp-bugs, etirelli, fnasser, gvarsami, huwang, java-sig-commits, jawilson, jboss-set, jcoleman, jdg-bugs, jmatthew, jolee, jpallich, jshepherd, katello-bugs, kverlaen, ldimaggi, lgao, lsurette, lzap, mbaluch, mgoldboi, mhulan, michal.skrivanek, mmccune, mstead, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pdrozd, pkliczew, pslavice, puntogil, rcernich, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, satellite6-bugs, soa-p-jira, sthorger, tcunning, theute, tkirby, tlestach, tomckay, tsanders, ttarrant, twalsh, vtunka, weli, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: resteasy 3.1.0.CR1, resteasy 3.0.20.Final Doc Type: If docs needed, set a value
Doc Text:
It was found that in some configurations the JacksonJsonpInterceptor is activated by default in RESTEasy. An attacker could use this flaw to launch a Cross Site Scripting Inclusion attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:54:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1372130, 1471279, 1471280, 1481780, 1914374    
Bug Blocks: 1371804, 1372141, 1372565, 1372568, 1372571    

Description Jason Shepherd 2016-09-01 01:25:17 UTC 
It was found that in some configurations the JacksonJsonpInterceptor is activated by default in RESTEasy. An attacker could use this flaw to launch a Cross Site Scripting Inclusion attack.
Comment 1 Jason Shepherd 2016-09-01 01:26:08 UTC 
Acknowledgments:

Name: Mikhail Egorov (Odin)
Comment 2 Jason Shepherd 2016-09-01 01:27:47 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1372130]
Comment 4 Kurt Seifried 2017-07-14 21:16:11 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1471279]
Comment 6 Kurt Seifried 2017-08-15 17:09:55 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1481780]